Closed
Description
- Version: any
- Platform: any
- Subsystem:
THE PROPOSAL:
- Add Node.js CLI option to control freezing of
Object.prototype
on startup - As possible, emit a deprecation warning whenever
Object.prototype
is modified. - Over time (e.g. Node.js v11+), enable freezing of
Object.prototype
by default.
JUSTIFICATION:
The issue formalizes proposal/discussion started here: https://www.reddit.com/r/node/comments/7y341t/quick_cve20183721_proto_from_jsonparse_mitigation/
- It's a known poor practice to modify
Object.prototype
in production code. - There are known vulnerabilities related to overriding of
__proto__
properties under some conditions.- There are also plenty of closed Node.js issues one or another way related to the problem.
- Packages which override
toString()
,valueOf()
or other standard names require just minor modifications.- e.g. use of
Object.defineProperty()
, assigning a new object to class.prototype
with the key already defined or other variation.
- e.g. use of
- There are known popular libraries like
should.js
which will break:- users can fallback to old behavior through the command line option described above
- users can migrate to expect/assert or other assertion interface
- As Node.js has already seen Promise-related enforcements, why not to do that for
Object.prototype
as well?